
Zscaler and Transparent proxying - Part 1

I came across a scenario where I had to accomplish the following tasks:

  • Configure a transparent proxy for the guest users of our network
    • Devices may include laptops, smartphones or tablets
  • Route the traffic through an upstream proxy server (the Zscaler cloud)
  • Disable authentication and SSL interception for seamless internet access

I had read about Squid Cache on several online resources. The first task was getting a Linux server [Ubuntu] up and running. The install process is straightforward, as is getting Squid installed:


https://help.ubuntu.com/community/Squid

# apt-get install squid

Next came the configuration file, which is located at /etc/squid3/squid.conf (that is the path used by the squid3 package; newer Ubuntu releases ship the package simply as squid, with the file at /etc/squid/squid.conf).

Additional details can be found in the documentation at http://www.squid-cache.org. The following points are needed to get started:
  • The default port on which Squid accepts traffic is 3128.
  • By default Squid is configured to deny all client traffic; however, the shipped configuration file documents each option in its comments.
The first step is to back up the original configuration file, since it is the only copy of those comments. After doing so, add an ACL that defines the internal (guest) network:

acl localnet src 192.168.0.0/16
Next, allow HTTP traffic for the network defined as "localnet". Squid evaluates http_access rules in order and stops at the first match, so this line must appear before the shipped http_access deny all rule:

http_access allow localnet

This will allow you to start using Squid as a proxy server by manually configuring the server IP address and port (3128) in the browser.

The next step is to configure the Zscaler cloud as the upstream (parent) proxy, which is done with the cache_peer option:

cache_peer cdn.example.com parent 19990 0 default
Note: replace 19990 with the port assigned by Zscaler customer service, and cdn.example.com with your Zscaler proxy address. The third number is the ICP port; 0 disables ICP queries to the peer, which Zscaler would not answer anyway. Be aware that with only a cache_peer line Squid will still fetch directly from the internet when the parent is unreachable, so guest traffic would silently bypass Zscaler during an outage; the never_direct directive is what forces all requests through the parent.

At this point requests sent through the parent fail with an authentication error from Zscaler.

It turns out someone else had faced the same issue with Zscaler and Squid. Thank you! :D


As described in that post, configure a sub-location on the Zscaler portal [squid_test], assign it a dummy internal IP address for testing purposes, and enable XFF on the primary location.

Also make sure to disable authentication and SSL interception for the sub-location.

Testing whether Zscaler honours the X-Forwarded-For header is easy with a Firefox add-on that lets you send a dummy internal IP address as the XFF request header (it is an HTTP header, not something inside the TCP packet). At this point you will be able to browse directly through the Zscaler proxy with no authentication prompt and no SSL errors. Note what this test also demonstrates: any client that can reach the Zscaler proxy and set its own XFF header lands in the unauthenticated sub-location, so the firewall must not let guest devices reach the Zscaler proxy port directly; only the Squid server should.
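Because the sub-location is selected from the XFF value, what Squid does with an XFF header the guest already sent matters. As an added example (not code from the original post), the Python below models how Squid rewrites the header before handing the request to the parent, following the behaviour documented for its forwarded_for directive (on, off, transparent, delete, truncate). The addresses, the header dictionary and the 10.1.0.0/16 "corporate" range are constructed test data. It shows that with forwarded_for on (the setting the post goes on to use) a guest-injected entry survives in the chain sent to Zscaler, while truncate (Squid 3.1 and later) forwards only the address Squid itself observed.

```python
"""Model of Squid's X-Forwarded-For handling per forwarded_for mode.

Added example; it reproduces the documented semantics of the directive,
it is not Squid's own code. All addresses below are constructed test data.
"""

import ipaddress

XFF = "X-Forwarded-For"


def _split(headers):
    """Separate the client's X-Forwarded-For value (any case) from the rest."""
    rest, existing = {}, None
    for name, value in headers.items():
        if name.lower() == XFF.lower():
            existing = value
        else:
            rest[name] = value
    return rest, existing


def rewrite_xff(mode, client_ip, headers):
    """Return the headers Squid would send upstream for a forwarded_for mode.

    on          append the client IP to any chain the client already sent
    off         append the literal "unknown" instead of the client IP
    transparent leave the header exactly as the client sent it
    delete      remove the header entirely
    truncate    drop every existing entry; the client IP becomes the sole entry
    """
    out, existing = _split(headers)
    if mode == "transparent":
        if existing is not None:
            out[XFF] = existing
    elif mode == "delete":
        pass
    elif mode == "truncate":
        out[XFF] = client_ip
    elif mode in ("on", "off"):
        entry = client_ip if mode == "on" else "unknown"
        out[XFF] = f"{existing}, {entry}" if existing else entry
    else:
        raise ValueError(f"unknown forwarded_for mode: {mode}")
    return out


def xff_entries(headers):
    """The X-Forwarded-For chain as a list, oldest entry first."""
    value = headers.get(XFF, "")
    return [e.strip() for e in value.split(",") if e.strip()]


def foreign_entries(headers, guest_net):
    """Chain entries that are not guest addresses: anything a guest could have
    injected (another internal range, or non-IP junk such as "unknown")."""
    net = ipaddress.ip_network(guest_net)
    foreign = []
    for entry in xff_entries(headers):
        try:
            if ipaddress.ip_address(entry) in net:
                continue
        except ValueError:
            pass  # not an IP address at all: treat as foreign
        foreign.append(entry)
    return foreign


# Constructed scenario: a guest on the post's 192.168.0.0/16 range injects an
# XFF header pointing into a made-up corporate range (10.1.0.0/16), hoping to
# be mapped to a different sub-location than the one assigned to guests.
GUEST_NET = "192.168.0.0/16"
CLIENT_IP = "192.168.3.7"
SPOOFED_REQUEST = {"Host": "example.com", "x-forwarded-for": "10.1.1.5"}

if __name__ == "__main__":
    for mode in ("on", "truncate", "delete", "transparent"):
        sent = rewrite_xff(mode, CLIENT_IP, SPOOFED_REQUEST)
        print(f"{mode:12s} XFF={sent.get(XFF)!r:28} "
              f"foreign={foreign_entries(sent, GUEST_NET)}")
```

Running it prints the chain Zscaler would receive for each mode: only truncate (and delete, which forwards nothing and so breaks the sub-location mapping) keeps the spoofed 10.1.1.5 entry out.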

The next step is to configure Squid to forward the client IP address as an XFF header, which is done by enabling the following option:

forwarded_for on
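Putting the steps together, here is a complete squid.conf fragment assembled from the options above, as an added example rather than the post's own file. The peer hostname and port are the post's placeholders and must be replaced with the values from Zscaler; the never_direct line and the truncate variant of forwarded_for are hardening additions I would make, not settings the post uses.

```conf
# Guest network allowed to use the proxy (the post's example range)
acl localnet src 192.168.0.0/16

# Allow rules must precede the shipped "deny all", rules match in order
http_access allow localnet
http_access deny all

# Listen on Squid's default port
http_port 3128

# Zscaler cloud as the parent proxy. ICP port 0 (and no-query) means
# Squid never sends ICP to the peer. Replace host and port with the
# values assigned by Zscaler customer service.
cache_peer cdn.example.com parent 19990 0 default no-query

# Never fetch directly: if the parent is down, fail the request instead
# of silently sending guest traffic to the internet around Zscaler.
never_direct allow all

# Send the client IP so Zscaler can map it to the sub-location.
# The post uses "forwarded_for on", which appends the client IP to any
# X-Forwarded-For header the guest already sent. "truncate" (Squid 3.1+)
# discards guest-supplied entries and sends only the IP Squid observed.
# forwarded_for on
forwarded_for truncate
```

After editing, run squid -k parse to check the file for syntax errors and squid -k reconfigure to apply it without restarting.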

Next up: the transparent proxy setup.

Part 2 coming soon.....
